Dynamic roles for business roles with incorrectly excluded identities
In the Manager, you can obtain an overview of all the dynamic roles with conflicting entries in the exclude list. This means that for at least one item in the list the following applies:
The dynamic role condition does not apply.
For example, this might occur if the dynamic role condition was changed after an identity was entered in the exclude list.
- OR -
The excluded identity is also assigned to the role in another way, such as through inheritance or direct assignment.
Check these entries and correct the assignments.
To check conflicting entries of business roles in the exclusion list
- In the Manager, select the Business Roles > Troubleshooting > Dynamic roles with potentially incorrect excluded identities category.
- Select the dynamic role in the result list.
- Select the Exclude identities task.
In the exclusion list you can see which identities are affected by the given conditions.
For more information about editing the dynamic roles' exclusion list, see the One Identity Manager Identity Management Base Module Administration Guide.
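The two conflict conditions described above, as an added example that is not One Identity Manager code: a constructed dynamic role, its exclude list and the identities' other assignments are checked, and each conflicting exclusion is reported with the reason (condition no longer applies, direct assignment, inheritance). The condition is modelled as a Python predicate standing in for the role's condition.

```python
"""Check a dynamic role's exclude list for conflicting entries (added example,
not One Identity Manager code; all data below is constructed)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Identity:
    uid: str
    department: str


@dataclass
class DynamicRole:
    name: str
    condition: Callable[[Identity], bool]  # stands in for the role condition
    excluded: Set[str] = field(default_factory=set)
    direct_members: Set[str] = field(default_factory=set)
    inherited_members: Set[str] = field(default_factory=set)  # via parent roles


def find_conflicts(role: DynamicRole, identities: Dict[str, Identity]) -> Dict[str, List[str]]:
    """Return {uid: reasons} for each excluded identity that conflicts, i.e.
    the condition no longer applies or the role is still assigned another way."""
    conflicts: Dict[str, List[str]] = {}
    for uid in sorted(role.excluded):
        reasons = []
        if not role.condition(identities[uid]):
            reasons.append("condition does not apply")
        if uid in role.direct_members:
            reasons.append("directly assigned")
        if uid in role.inherited_members:
            reasons.append("assigned by inheritance")
        if reasons:
            conflicts[uid] = reasons
    return conflicts


# Constructed sample: the role once covered Sales and IT; its condition was
# narrowed to Sales after bob and dave had been put on the exclude list.
IDENTITIES = {uid: Identity(uid, dept) for uid, dept in
              [("alice", "Sales"), ("bob", "IT"), ("carol", "Sales"), ("dave", "IT")]}
SALES_ROLE = DynamicRole(
    name="Sales staff",
    condition=lambda i: i.department == "Sales",
    excluded={"alice", "bob", "carol", "dave"},
    direct_members={"carol"},
    inherited_members={"dave"},
)
```

Only alice is a clean exclusion; the other three entries are the kind the troubleshooting view lists for review.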
Certification of business roles
NOTE: This function is only available if the Attestation Module is installed.
The certification status of business roles can be set manually or by regular attestation. To set certification status by attesting, configure the attestation policies accordingly.
To manually change the certification status of a business role
- In the Manager, edit the business role's main data.
- In the Certification status field, enter the required value.
- Save the changes.
To change the certification status of business roles by attestation
- In the Manager, select the Attestation > Attestation policies category.
- In the result list, select the attestation policy whose attestation runs will adjust the certification status.
- If the certification status is to change to Certified when attestation is approved, enable the Set certification status to "Certified" option.
- If the certification status is to change to Denied when attestation is denied, enable the Set certification status to "Denied" option.
- Save the changes.
One Identity Manager provides default procedures for managers to quickly attest and certify the main data of newly added business roles in the One Identity Manager database. Attestation is performed only for business roles with the New certification status. If the attestation is approved, the certification status of the attested business role is set to Certified; otherwise, it is set to Denied. Approval also disables the Identities do not inherit option.
Attestation and certification is started automatically for business roles that were added with the Analyzer tool if the QER | Attestation | OrgApproval configuration parameter is set.
NOTE: If the attestation was denied, only the certification status changes. Other behavioral changes, for example in the inheritance calculation, are not associated with this and can be implemented on a custom basis.
This function is only available if the Target System Base Module is installed. For more information about certifying new roles and organizations, see the One Identity Manager Attestation Administration Guide.
Reports about business roles
One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for business roles.
NOTE: Other sections may be available depending on which modules are installed.
Table 23: Reports about business roles
Report | Description
Overview of all assignments | This report finds all the roles in which identities from the selected business roles are also members.
Show historical memberships | This report lists all members of the selected business role and the length of their membership.
Show products still to be approved | The report shows all products for a business role whose requests can be approved by the business role's members.
Business roles with high risk level | The report lists all business roles with a risk index equal to or higher than the configurable risk index. The result can be limited to a specified role class. You can find this report in the Manager in the My One Identity Manager category.
Role mining in One Identity Manager
Business roles can be formed in two ways:
One Identity Manager uses the Analyzer program to make its own tools available for analyzing user accounts and permissions. The Analyzer supports the analysis of business roles as well as the analysis of data quality with respect to the question: how well suited is the permissions data to partially automated role mining?
The Analyzer offers:
- Automatic analysis of permissions assignments based on cluster analysis algorithms with different weightings.
- Automatic analysis of existing structures and of the permissions of the identities assigned in them.
- Manual analysis of certain identity groups for role mining.
The aim of role mining is to replace direct permissions, which previously were granted to users only within individual application systems, with indirect ones. This allows permissions that users obtain through role association to be defined across application systems. Analyzer's aim is not only pure role mining but also the classification of roles in a hierarchical system that is simple to administer. This can further reduce the administration workload and increase security in granting permissions.
To use role mining in One Identity Manager
NOTE: To use Analyzer for analyzing permissions, at least the Target System Base Module must be installed.